figured this might be interesting... I run just over 300 forums, for a monthly audience of 275k active users. most of this is on Linode instances and Hetzner instances, a couple of the larger fora go via Cloudflare, but the rest just hits the server.
and it's all being shut down.
the UK Online Safety Act creates a massive liability, and whilst at first glance the risk seems low the reality is that moderating people usually provokes ire from those people, if we had to moderate them because they were a threat to the community then they are usually the kind of people who get angry.
in 28 years of running forums, as a result of moderation I've had people try to get the domain revoked, fake copyright notices, death threats, stalkers (IRL and online)... as a forum moderator you are known, and you are a target, and the Online Safety Act creates a weapon that can be used against you. the risk is no longer hypothetical, so even if I got lawyers involved to be compliant I'd still have the liability and risk.
in over 28 years I've run close to 500 fora in total, and they've changed so many lives.
I created them to provide a way for those without families to build families, to catch the waifs and strays, and to try to hold back loneliness, depression, and the risk of isolation and suicide... and it worked, it still works.
but on 17th March 2025 it will become too much, no longer tenable, the personal liability and risks too significant.
I guess I'm just the first to name a date, and now we'll watch many small communities slowly shutter.
the Online Safety Act was supposed to hold big tech to account, but in fact they're the only ones who will be able to comply... it consolidates more on those platforms.
Is there some generalized law (yet) about unintended consequences? For example:
Increase fuel economy -> Introduce fuel economy standards -> Economic cars practically phased out in favour of guzzling "trucks" that are exempt from fuel economy standards -> Worse fuel economy.
or
Protect the children -> Criminalize activites that might in any way cause an increase in risk to children -> Best to just keep them indoors playing with electronic gadgets -> Increased rates of obesity/depression etc -> Children worse off.
As the article itself says: Hold big tech accountable -> Introduce rules so hard to comply with that only big tech will be able to comply -> Big tech goes on, but indie tech forced offline.
> Introduce rules so hard to comply with that only big tech will be able to comply
When intentional, this is Regulatory Capture. Per https://www.investopedia.com/terms/r/regulatory-capture.asp :
> Regulation inherently tends to raise the cost of entry into a regulated market because new entrants have to bear not just the costs of entering the market but also of complying with the regulations. Oftentimes regulations explicitly impose barriers to entry, such as licenses, permits, and certificates of need, without which one may not legally operate in a market or industry. Incumbent firms may even receive legacy consideration by regulators, meaning that only new entrants are subject to certain regulations.
A system with no regulation can be equally bad for consumers, though; there's a fine line between too little and too much regulation. The devil, as always, is in the details.
It's called "Perverse incentive" and Wikipedia runs an illustrative set of examples:
There's the Cobra Effect popularized by Freakonomics
Too many cobras > bounty for slain cobras > people start breeding them for the bounty > law is revoked > people release their cobras > even more cobras around
The Cobra Effect is an example of a Perverse Incentive, which is where an attempt to incentivize a behavior ends up incentivizing the opposite: https://en.wikipedia.org/wiki/Perverse_incentive
I think most of the examples fit this, but a few don't.
This also sounds similar to Goodhart's Law which states that “when a measure becomes a target, it ceases to be a good measure.”
Behold the failure to consider second order consequences when legislating rules.
Politicians should take a mandatory one-week training in:
- very basic macro economics
- very basic game theory
- very basic statistics
Come to think of it, kids should learn this in high school
I think you’re being overly charitable in thinking this happens because they don’t understand these things. The main thing is that they don’t care. The purpose of passing legislation to protect the children isn’t to protect the children, it’s to get reelected.
If we can get the voters to understand the things you mention, then maybe we’d have a chance.
It’s more than just politicians not caring: Big Tech firms hite people on millions of dollars per year to lobby and co-operate with governments, in order to ensure that processes like this result in favourable outcomes to them. See e.g. Nick Clegg.
I think you're being underly charitable. The vast majority of congress critters are pretty smart people, and by Jeff Jackson's account, even the ones who yell the loudest are generally reasonable behind closed doors due to incentives.
The problem is that the real problems are very hard, and their job is to simplify it to their constituents well enough to keep their jobs, which may or may not line up with doing the right thing.
This is a truly hard problem. CSAM is a real problem, and those who engage in its distribution are experts in subverting the system. So is freedom of expression. So is the onerous imposition of regulations.
And any such issue (whether it be transnational migration, or infrastructure, or EPA regulations in America, or whatever issue you want to bring up) is going to have some very complex tradeoffs and even if you have a set of Ph.Ds in the room with no political pressure, you are going to have uncomfortable tradeoffs.
What if the regulations are bad because the problem is so hard we can't make good ones, even with the best and brightest?
It's ridiculous to say that a bad law is better than no law at all. If the law has massive collateral damage and little-to-no demonstrated benefit then it's just a bad law and should never have been made.
It seems far too common that regulations are putting the liability / responsibility for a problem onto some group of people who are not the cause of the problem, and further, have limited power to do anything about the problem.
As they say, this is why we can't have nice things.
> What if the regulations are bad because the problem is so hard we can't make good ones, even with the best and brightest?
To begin with, the premise would have to be challenged. Many, many bad regulations are bad because of incompetence or corruption rather than because better regulations are impossible. But let's consider the case where there really are no good regulations.
This often happens in situations where e.g. bad actors have more resources, or are willing to spend more resources, to subvert a system than ordinary people. For example, suppose the proposal is to ban major companies from implementing end-to-end encryption so the police can spy on terrorists. Well, that's not going to work very well because the terrorists will just use a different system that provides E2EE anyway and what you're really doing is compromising the security of all the law-abiding people who are now more vulnerable to criminals and foreign espionage etc.
The answer in these cases, where there are only bad policy proposals, is to do nothing. Accept that you don't have a good solution and a bad solution makes things worse rather than better so the absence of any rule, imperfect as the outcome may be, is the best we know how to do.
The classical example of this is the First Amendment. People say bad stuff, we don't like it, they suck and should shut up. But there is nobody you can actually trust to be the decider of who gets to say what, so the answer is nobody decides for everybody and imposing government punishment for speech is forbidden.
> The answer in these cases, where there are only bad policy proposals, is to do nothing.
Or go further.
Sometimes the answer is to remove regulations. Specifically, those laws that protect wrongdoers and facilitators of problems. Then you just let nature take its course.
For the mostpart though, this is considered inhumane and unacceptable.
Sometimes we do exactly that. In general, if someone is trying to kill you, you are allowed to try and kill them right back. It's self-defense.
If you're talking about legalizing vigilantism, you would then have to argue that this is a better system and less prone to abuse than some variant of the existing law enforcement apparatus. Which, if you could do it, would imply that we actually should do that. But in general vigilantes have serious problems with accurately identifying targets and collateral damage.
Not quite my line of thinking but appreciate the reply. There's definitely an interesting debate to be had there about the difference between "legalizing vigilantism" and "not protecting criminals" (one that's been done to death in "hack back" debates).
It gets messy because, by definition the moment you remove the laws, the parties cease to be criminals... hence my Bushism "wrongdoers" (can't quite bring myself to say evil-doers :)
One hopes that "criminals" without explicit legal protection become disinclined to act, rather than become victims themselves. Hence my allusion to "nature", as in "Natural Law".
"Might is right" is no good situation either. But I feel there's a time and place for tactical selective removal of protectionism (and I am thinking giant corporations here) to re-balance things.
As a tepid example (not really relevant to this thread), keep copyright laws in place but only allow individuals to enforce them.
“Their job is to simplify it to their constituents well enough to keep their jobs” sounds awfully similar to what I’m saying. Maybe “don’t care” is a little too absolute, but it doesn’t make much difference if they don’t care or if they care but their priority is still keeping their jobs.
Politicians forced to learn statistics -> Politicians better prepared to understand consequences of their actions -> Politicians exploit economy better -> Everyone worse off -> Law to educate politicians is abolished -> Politicians exploit economy nevertheless
Seriously, the problem is not politicians being clueless about all the above, but having too much power which makes them think they need to solve everything.
This is the accurate scenario unfortunately.
I'd give you 100 upvotes if I could.
Except the gas guzzling large trucks seems to be a uniquely north american problem - because of the "work vehicle" loophole.
It is difficult to get a man to understand something when his re-election depends on him not understanding it.
So you are assuming politicians graduate high school? Not in my country.
What good would that do? Look who elects them!
I don't think these consequences are unintended.
I recall some laws in the US (or california?) were based on the size of the company (in revenue $$)
Too bad this isn't the case here.
This is what Javier Milei means when he says that everything politicians touch turns to shit and therefor government should be minimal.
It is also that big business can influence legislators, and small business cannot, so big business can influence regulation to their own advantage.
There's a whole YouTube playlist about that sort of thing: https://m.youtube.com/playlist?list=PLBuns9Evn1w9XhnH7vVh_7C...
I've heard it called "law of unintended consequences" and "cobra effect".
Why are gas-guzzling trucks exempt from fuel standards? (Genuine question)
Because they were a large fraction of cars manufactured by US companies, so not excluding them would have put the entire US auto industry out of business.
>Protect the children -> Criminalize activites that might in any way cause an increase in risk to children -> Best to just keep them indoors playing with electronic gadgets -> Increased rates of obesity/depression etc -> Children worse off.
Not sure how keeping kids off the internet keeps them indoors? Surely the opposite is true?
In the US at least, we’re at a point where letting your kids play in your yard is enough to get arrested and jailed with child endangerment. Within the last 30 days, a woman has been arrested and charged with child endangerment for the crime of… letting her child walk to the store [1] and others have been jailed for letting their child play outside [2].
So what do you do to entertain children? Use what you have. Dunk them on the internet via YouTube first and then let them free range because you’re tired and can’t give a fuck anymore.
^1 https://abcnews.go.com/amp/GMA/Family/mom-arrested-after-son... ^2 https://www.aol.com/news/2015-12-03-woman-gets-arrested-for-...
Thanks, I needed that. In a thread full of people criticising UK law, I am very happy to have a crazy US example to make me feel better.
No mention in that example of internet. If I had to think of specifics, he's probably talking about the things that fall under the category of "free range kids" but also result in parents being criminally prosecuted.
This is a discussion about the UK online safety act! That is about the internet isn't it?
The other example in the parent comment was about fuel economy and trucks. They're just generalized laws about unintended consequences.
I used to walk and ride my bike to school. I was in 4th grade. 9 years old.
You show me a 9-year-old walking alone to school today, and I'll show you a parent who's getting investigated for child neglect. It's maddening.
So that chain of consequences means today's kids are meant to be watched 24/7, and that usually means they're cooped up inside. They're still facing "Stranger Danger" (except through Snap or whatever games they're playing), and now they're also in poorer health.
Laws are meant to be dynamic. So you iterate on them as you get feedback from their implementation
> Laws are meant to be dynamic.
The US Supreme Court disagrees. https://www.dentons.com/en/insights/articles/2024/july/3/-/m...
The Supreme Court hasn’t and can’t say anything against laws being updated and changed. What they have prevented is those we have elected to make laws delegating that very authority to others.
Which in practice means that laws are not going to be updated and changed.
For the time being the US Supreme Court has no jurisdiction over the UK online safety act
I mean, that’s what I call “rules lawyering” in game parlance. When someone utilizes the rules in such a way as to cause legal harm in service of their own interests, regardless of the intent of said rules in preventing harm.
It’s why when a law/rule/standard has a carveout for its first edge case, it quickly becomes nothing but edge cases all the way down. And because language is ever-changing, rules lawyering is always possible - and governments must be ever-resistant to attempts to rules lawyer by bad actors.
Modern regulations are sorely needed, but we’ve gone so long without meaningful reform that the powers that be have captured any potential regulation before it’s ever begun. I would think most common-sense reforms would say that these rules should be more specific in intent and targeting only those institutions clearing a specific revenue threshold or user count, but even that could be exploited by companies with vast legal teams creating new LLCs for every thin sliver of services offered to wiggle around such guardrails, or scriptkiddies creating millions of bot accounts with a zero-day to trigger compliance requirements.
Regulation is a never-ending game. The only reason we “lost” is because our opponent convinced us that any regulation is bad. This law is awful and nakedly assaults indietech while protecting big tech, but we shouldn’t give up trying to untangle this mess and regulate it properly.
> I would think most common-sense reforms would say that these rules should be more specific in intent and targeting only those institutions clearing a specific revenue threshold or user count, but even that could be exploited by companies with vast legal teams creating new LLCs for every thin sliver of services offered to wiggle around such guardrails, or scriptkiddies creating millions of bot accounts with a zero-day to trigger compliance requirements.
This is what judges are for. A human judge can understand that the threshold is intended to apply across the parent company when there is shared ownership, and that bot accounts aren't real users. You only have to go back and fix it if they get it wrong.
> The only reason we “lost” is because our opponent convinced us that any regulation is bad. This law is awful and nakedly assaults indietech while protecting big tech, but we shouldn’t give up trying to untangle this mess and regulate it properly.
The people who passed this law didn't do so by arguing that any regulation is bad. The reason you lost is that your regulators are captured by the incumbents, and when that's the case any regulation is bad, because any regulation that passes under that circumstance will be the one that benefits the incumbents.
> Is there some generalized law (yet) about unintended consequences?
These are not unintended consequences. All media legislation of late has been to eliminate all but the companies that are largest and closest to government. Clegg works at Facebook now, they'd all be happy to keep government offices on the premises to ensure compliance; they'd even pay for them.
Western governments are encouraging monopolies in media (through legal pressure) in order to suppress speech through the voluntary cooperation of the companies who don't want to be destroyed. Those companies are not only threatened with the stick, but are given the carrots of becoming government contractors. There's a revolving door between their c-suites and government agencies. Their kids go to the same schools and sleep with each other.
"Gaming The Law"
We have something similar in Australia with the Online Safety Act 2021. I think this highlights a critical misunderstanding at the heart of the legislation: it imagines the internet as a handful of giant platforms rather than a rich tapestry of independent, community-driven spaces. The Online Safety Act’s broad, vague requirements and potential penalties are trivial hurdles for billion-dollar companies with in-house legal teams, compliance departments, and automatic moderation tooling. But for a single individual running a forum as a labour of love—or a small collective operating on volunteer time—this creates a legal minefield where any disgruntled user can threaten real financial and personal harm.
In practice, this means the local cycling forum that fostered trust, friendship, and even mental health support is at risk of vanishing, while the megacorps sail on without a scratch. Ironically, a measure allegedly designed to rein in “Big Tech” ends up discouraging small, independent communities and pushing users toward the same large platforms the legislation was supposedly targeting.
It’s discouraging to watch governments double down on complex, top-down solutions that ignore the cultural and social value of these smaller spaces. We need policy that recognises genuine community-led forums as a public good, encourages sustainable moderation practices, and holds bad actors accountable without strangling the grassroots projects that make the internet more human. Instead, this act risks hollowing out our online diversity, leaving behind a more homogenised, corporate-dominated landscape.
The actual OfCom code of practice is here: https://www.ofcom.org.uk/siteassets/resources/documents/onli...
A cycling site with 275k MAU would be in the very lowest category where compliance is things like 'having a content moderation function to review and assess suspected illegal content'. So having a report button.
This: OP seems to be throwing the baby out with the bathwater.
Im surprised they don’t already have some form of report/flag button.
I’m not so sure. It’s a layman’s interpretation, but I think any “forum” would be multi-risk.
That means you need to do CSAM scanning if you accept images, CSAM URL scanning if you accept links, and there’s a lot more than that to parse here.
OP isn't throwing the baby with the bathwater and he explains it very well in his post: the risk of being sued is too great in itself, even if you end up winning the lawsuit.
The general risk of being sued is always there regardless of the various things laws say.
I think there’s a pretty decent argument being made here that OP is reading too far in the new rules and letting the worst case scenario get in the way of something they’re passionate about.
I wonder if they consulted with a lawyer before making this decision? That’s what I would be doing.
Answered here: https://news.ycombinator.com/item?id=42434349
I was referring to the actual rules, not what OP feels, or is pretending to feel for some agenda.
What agenda do you think the OP is following, and why do you think they'd do so now after their long (~3 decades!) history of running forums? There has been many other pieces of legislation in that time, why now?
I tried to think of an agenda, but I'm struggling to come up with one. I think OP just doesn't want to be sued over a vague piece of legislation, even if it was a battle they could win (after a long fight). Just like they said right there in the post.
It's kind of rude to imply that this is performative when they gave a pretty reasonable explanation.
The actual rules are vulnerable to this attack. https://www.legislation.gov.uk/ukpga/2023/50
If you think the attack won't be attempted, you've never been responsible for an internet forum.
The UK has just given up on being in any way internationally relevant. If the City of London financial district disappeared, within 10 years we'd all forget that it's still a country.
This feels relevant to your comment: https://archive.is/9V2Bf
Orgs are already fleeing LSEG for deeper capital markets in the US.
As an aside, the UK is a great tourist destination, especially if you leave London right after landing.
Beautiful landscape, the best breakfast around, really nice people, tons of sights to see.
Yes the end result of rich western nations that get strangled by government is to be a museum
I agree it’s tragic but out of all the ways a culture can strangle itself, museumification is the least horrible
How much damage can they withstand before they figure out how to stop hurting themselves? I wouldn't touch UK investment with a ten foot pole.
A lot more, the Online Safety Act is just a symptom of the structural problems (Lack of de-facto governance, A hopelessly out of touch political class, Voting systems that intentionally don't represent the voting results, etc).
Argentina has had nearly 100 years of decline, Japan is onto its third lost decade. The only other party in the UK that has a chance of being elected (because of the voting system) is lead by someone who thinks sandwiches are not real [1]. It's entirely possible the UK doesn't become a serious country in our lifetimes.
[1] https://www.politico.eu/article/uk-tory-leader-sandwiches-no...
> “I’m not a sandwich person, I don’t think sandwiches are a real food, it’s what you have for breakfast.” The Tory leader went on to confirm that she “will not touch bread if it’s moist.
The headline is clickbait. She didn't say that sandwiches are not real. She is saying that she doesn't believe it is a proper lunch/meal.
>A hopelessly out of touch political class
Orwell pointed this out in England your England which was written during the Blitz. Many of the problems he described have only got worse in the decades since he wrote about them in my opinion. While the essay is a bit dated now (it predates the post-war era of globalisation for example which created new axes in UK politics) I still think it's essential background reading for people who want to know what's wrong with the UK, and it's an excellent example of political writing in general.
Argentina is a great analog for the UK, time shifted by century. Both former first-class economies doomed to a long decline by bad policies that elites refuse to change.
Argentina was a rich country but never a rich industrialized country. At the time we were rich, we were exporting beef and importing everything that came from a factory. Later attempts at industrialization, after global protectionism and domestic infighting had already plunged us into relative poverty, were based on the flawed paradigm of import-substitution industrialization, whereas the UK was transitioning from mercantilism to Smithian liberalism when they industrialized, both of which put the highest possible priority on exports. London is the world's second biggest financial hub, a fact that accounts for a significant part of the English economy, while Buenos Aires was never a financial hub for anyone but Argentines, and even we bank in London, Omaha, or Montevideo whenever we have the choice.
Industrialization was somewhat successful; I am eating off an Argentine plate, on an Argentine table, with Argentine utensils (ironically made of stainless steel rather than, as would be appropriate for Argentina, silver) while Argentine-made buses roar by outside. A century ago, when we were rich, all those would have been imported from Europe or the US, except the table. My neighborhood today is full of machine shops and heavy machinery repair shops to support the industrial park across the street. Even the TV showing football news purports to be Argentine, but actually it's almost certainly assembled in the Tierra del Fuego duty-free zone from a Korean or Chinese kit.
There is not much similarity.
Well, I guess who decides the line between basic industrialization and import substitution? The bondholders?
Import substitution is not an alternative to basic industrialization. It's a policy advocated as a means to achieve basic industrialization. I regret that my comment was so misleading.
The usual alternative to import substitution industrialization is export-focused industrialization. Argentina and Brazil exemplify the former; Japan, Taiwan, South Korea, Hong Kong, and now the PRC exemplify the latter. The line between them is whether the country's manufactures are widely exported.
Hard disagree. Argentina is only similar to the UK insofar as they both deindustrialized starting in the 80s. Besides that, I have no idea why it would be a "great analog".
a hundreds year ago Argentine had a population of less than 8million people and the 8º biggest territory of highly fertile land. That's not even 20% of the current population. Argentina was never a developed country.
I don't think sandwiches are "real food" too, what's the problem with that specific case?
Not sure exactly, but the first think that comes to mind is "let them eat cake" vibes.
Have you considered handing off the forums to someone based outside of the UK? I'm sure you might be able to find a reasonable steward and divest without leaving your users stranded. You've worked very hard and have something to be proud of, I would hate to see it go.
None of this seems to describe exactly what the problem with this new act is. Can someone ELI5 what this new law does that means it's no longer safe to run your own forum?
I think that the fact that no one is fully sure is part of the problem.
The act is intentionally very vague and broad.
Generally, the gist is that it's up to the platforms themselves to assess and identify risks of "harm", implement safety measures, keep records and run audits. The guidance on what that means is very loose, but some examples might mean stringent age verifications, proactive and effective moderation and thorough assessment of all algorithms.
If you were to ever be investigated, it will be up to someone to decide if your measures were good or you have been found lacking.
This means you might need to spend significant time making sure that your platform can't allow "harm" to happen, and maybe you'll need to spend money on lawyers to review your "audits".
The repercussions of being found wanting can be harsh, and so, one has to ask if it's still worth it to risk it all to run that online community?
bearing in mind, this is also a country that will jail you for a meme post online.
The full agenda of course is: if we jail someone for the meme, then we get to force the company to remove the meme, and then we get to destroy the company if they do not comply with exacting specifications within exact times. Thus full control of speech, teehee modern technology brings modern loopholes! "shut up peon, you still have full right to go into your front yard and say your meme to the squirrels"
One that encourages people to riot in the streets? Yes we proudly jail the scum that do that
> The act is intentionally very vague and broad
Exactly the complaint that everyone on here made about GDPR, saying the sky would fall in. If you read UK law like an American lawyer you will find it very scary.
But we don't have political prosecuters out to make a name for themselves, so it works ok for us.
From Wikipedia:
> The act creates a new duty of care of online platforms, requiring them to take action against illegal, or legal but "harmful", content from their users. Platforms failing this duty would be liable to fines of up to £18 million or 10% of their annual turnover, whichever is higher.
Doesn't that 18 million minimum disproportionately effect smaller operations risk wise? Or is that the point?
Yes, but it sounds like part of the point is that you want to put the fear of the Lord into small-fry operators.
They mention especially in their CSAM discussion that, in practice, a lot of that stuff ends up being distributed by smallish operators, by intention or by negligence—so if your policy goal is to deter it, you have to be able to spank those operators too. [0]
> In response to feedback, we have expanded the scope of our CSAM hash-matching measure to capture smaller file hosting and file storage services, which are at particularly high risk of being used to distribute CSAM.
Surely we can all think of web properties that have gone to seed (and spam) after they outlive their usefulness to their creators.
I wonder how much actual “turnover” something like 4chan turns over, and how they would respond to the threat of a 10% fine vs an £18mm one…
[0] https://www.ofcom.org.uk/online-safety/illegal-and-harmful-c...
It's worth noting that integrating a CSAM hash scanner is easy to do. It took me a few hours to do the work, including testing and automatic database updates.
HOWEVER: I'm not sure how you would get access to the CSAM hash database if you're were starting a new online image hosting service.
The requirements to sign up for IWF (the defacto UK CSAM database) membership are:
- be legally registered organisations trading for more than 12 months;
- be publicly listed on their country registration database;
- have more than 2 full-time unrelated employees;
- and demonstrate they have appropriate data security systems and processes in place.
Cloudflare have a free[1] one but you have to be a Cloudflare customer.
Am I missing something, or does this make it very difficult to start up a public facing service from scratch?
Yes. The regulation is set up to destroy smaller startups & organisations; the only folks who have a hope of complying with it are Big Tech.
AKA "regulatory capture".
It's a minimum maximum. The amount is still "up to" and courts rarely assign the maximum penalty for anything. It seems aimed at platforms which really break the rules, but are run at minimal cost. Basically a value of "what do you charge a minimal forum run at cost, with sole purpose of breaking all these rules".
Sure, it's "up to", but how low can you assume things will go? 5% would still destroy someone.
It is not 18 million minimum, it is up to 18 million... unless you are so big that the second criteria affects you, then it is up to that.
The purpose of a system is what it does
It is essentially requiring tech companies to work for the UK government as part of law enforcement. They are required to monitor and censor users or face fines and Ofcom has the ability to shutdown things they don't like.
This basically ensures that the only people allowed to host online services for other people in the UK will be large corporations. As they are the only ones that can afford the automation and moderation requirements imposed by this bill.
You should be able to self-host content, but you can't do something like operate a forums website or other smaller social media platform unless you can afford to hire lawyers and spend thousands of dollars a month hiring moderators and/or implementing a bullet proof moderation system.
Otherwise you risk simply getting shutdown by Ofcom. Or you can do everything yo are supposed to do and get shutdown anyways. Good luck navigating their appeals processes.
I don't mind getting shut down so much as I mind getting a fine for millions when my small little website doesn't make any money.
But surely no right minded judge would do such a thing, right?
UK fines are proportionate. So no. No UK judge will fine a small website 18m
> this is not a venture that can afford compliance costs... and if we did, what remains is a disproportionately high personal liability for me, and one that could easily be weaponised by disgruntled people who are banned for their egregious behaviour
I'm a little confused about this part. Does the Online Safety Act create personal liabilities for site operators (EDIT: to clarify: would a corporation not be sufficient protection)? Or are they referring to harassment they'd receive from disgruntled users?
Also, this is the first I've heard of Microcosm. It looks like some nice forum software and one I maybe would've considered for future projects. Shame to see it go.
The linked page has this phrasing, which I’m not entirely sure what it means, but could be understood as personal liability?
> Senior accountability for safety. To ensure strict accountability, each provider should name a senior person accountable to their most senior governance body for compliance with their illegal content, reporting and complaints duties.
I don't see that makes the person personally liable at all. It just gives them a direct line to the compliance board.
I think OP feels it indirectly creates massive personal liabilities for site operators, in that a user can deliberately upload illegal material and then report the site under the Act, opening the site operator up to £18M in fines.
This seems very plausible to me, given what they and other moderators have said about the lengths some people will go to online when they feel antagonised.
Zero chance it will be enforced like this.
The UK has lots of regulatory bodies and they all work in broadly the same way. Provided you do the bare minimum to comply with the rules as defined in plain English by the regulator, you won't either be fined or personally liable. It's only companies that either repeatedly or maliciously fail to put basic measures in place that end up being prosecuted.
If someone starts maliciously uploading CSAM and reporting you, provided you can demonstrate you're taking whatever measures are recommended by Ofcom for the risk level of your business (e.g. deleting reported threads and reporting to police), you'll be absolutely fine. If anything, the regulators will likely prove to be quite toothless.
Hopefully the new law is enforced sensibly, i.e., with much leniency given to smaller defendants, but hoping for that to be the case is a terrible strategy. The risk is certainly not zero as you claim -- all it takes is for one high-profile case of leniency resulting in some terrible outcome (e.g., child abuse) getting into the news, and the government employees responsible for enforcement will snap to a policy of zero-tolerance.
> provided you can demonstrate you're taking whatever measures are recommended by Ofcom
That level of moderation might not be remotely feasible for a sole operator. And yes, there's a legitimate social question here: Should we as a society permit sites/forums that cannot be moderated to that extent? But the point I'm trying to make is not whether the answer to that question is yes or no, it's that the consequences of this Act are that no sensible individual person or small group will now undertake the risk of running such a site.
While they could, I'm pretty sure that's already illegal, probably in multiple ways.
In the same way that you could be sued for anything, I'm sure you could also be dragged to court for things like that under this law... And probably under existing laws, too.
That doesn't mean you'll lose, though. It just means you're out some time and money and stress.
>While they could, I'm pretty sure that's already illegal, probably in multiple ways
Heh, welcome to the internet where the perpetrator and the beneficiary can be in different jurisdictions that make enforcement on the original bad actors impossible.
For example, have a friend in China upload something terrible to a UK site and then 'drop the dime' to a regular in the UK. The UK state can easily come after you and find it nearly impossible to go after the international actor.
>In the same way that you could be sued for anything,
The risk and cost imbalance is much more extreme than that of a lawsuit.
I'm confident that, were I sufficiently motivated, I could upload a swathe of incriminating material to a website and cover my tracks within a couple of hours, doing damage that potentially costs the site operator £18M with no risk to myself -- not even my identity would be revealed. OTOH, starting a lawsuit at the very least requires me to pay for a lawyer's time, my face to appear in the court -- and if the suit is thrown out, I'll need to pay their court costs, too.
Again, sounds like the nonsense spoken on here when GDPR came out. Everyone was going to get fined millions. Except people with violations actually got compliance advice from the ICO. They only got fined (a small amount of money) when they totally ignored the ICO
I did a double take when I saw this here. I’ve lurked on LFGSS, posted from time to time and bought things through it. Genuinely one of the best online communities I’ve been in, and the best cycling adjacent one by far.
Having said all that, I can’t criticise the decision. It makes me sad to see it and it feels like the end of an era online
Might the author be overreacting a bit to this new law? As I understand it, it doesn't put that much of an onerous demand on forum operators.
Then again, maybe he's just burnt out from running these sites and this was the final straw. I can understand if he wants to pack it in after so long, and this is as good reason as any to call it a day.
Though, has no-one in that community offered to take over? Forums do change hands now and then.
> Might the author be overreacting a bit to this new law
As i have read it, no, it's worth a read to see for yourself though.
> it doesn't put that much of an onerous demand on forum operators.
It doesn't until it does, the issue is the massive amount of work needed to cover the "what if?".
It's not clear that it doesn't apply and so it will be abused, that's how the internet works, DMCA, youtube strikes, domain strikes etc.
> Then again, maybe he's just burnt out from running these sites and this was the final straw. I can understand if he wants to pack it in after so long, and this is as good reason as any to call it a day.
Possibly, worth asking.
> Though, has no-one in that community offered to take over? Forums do change hands now and then.
Someone else taking over doesn't remove the problem, though there might be someone willing to assume the risk.
If it is anything like GDPR enforcement in the UK, the 'what if' situation is Ofcom writing to you asking you to comply.
GDPR enforcement is bullshit because it was made by people who don't know what they are doing and didn't understand how much effort would be needed to actually prove there is a problem.
Honestly, same could be said for this one, it reads less like an attempt at making the internet better and more like a technical sounding PR stunt with sneaky power encroachment thrown in.
"We just need you to uses your government ID to sign in because of the children, we have a long track record of competent execution, maintenance and accountability, we are 100% not going to use this for other ...reasons"
It's the same governmental "Trust me bro, think of the children" they always throw out.
Outside of the intelligence agencies the UK government is absolutely diabolical at anything technical, chronically overbudget (because their original budget was decided by someone in an office with no actual experience managing an IT project) on projects they outsourced to corrupt friends who siphon the money away, not just IT, all projects.
They pay atrociously for the level of skill required for the positions advertised, so they get middle of the road staff, which isn't a problem normally, middle of the road is the backbone of IT projects.
The problem arises when you get actively bad project management, either incompetence or outright maliciousness, throw in some glacial bureaucracy laden processes that didn't work when they were drafted 40 years ago, let alone now.
and you get an entire industry of corruption and mediocrity.
/rant
anyway, i mean, sure you can take the lacklustre GDPR enforcement and use that to make decisions going forward, i wouldn't personally, because i don't think a single data point is a good basis for risk assessment.
DMCA, youtube copyright strikes, domain strikes, bank transaction complaints/chargebacks, all are mechanisms used to attack internet based businesses.
Do they serve a purpose, debatable, are they misused on a regular basis, absolutely.
This isn't a "the sky is falling" this is a "They have put into law the ability to drop the sky on me just because they (the government, or disgruntled internet denizens) feel like it"
It's up to you to decide how likely you think that is and plan accordingly.
There was a story very recently about the whole of itch.io going down because of some overzealous rent-seeking bullshit middleman (hired by rent-seeking bullshit artist FunkoPop)
> Might the author be overreacting a bit to this new law? As I understand it, it doesn't put that much of an onerous demand on forum operators.
As the manager of a community where people meet in person, I understand where he is coming from. Acting like law enforcement puts one in a position to confront dangerous individuals without authority or weapons. It is literally life-endangering.
Please consider working with Archive Team and/or the Internet Archive to preserve the content of the site.
you don't need archiveteam to save databases you already have. just dump the PII columns and put 'em up for torrent.
An insightful comment on this from an American context, but about basically the same problem [0]
> Read the regs and you can absolutely see how complying with them to allow for banana peeling could become prohibitively costly. But the debate of whether they are pro-fruit or anti-fruit misses the point. If daycares end up serving bags of chips instead of bananas, that’s the impact they’ve had. Maybe you could blame all sorts of folks for misinterpreting the regs, or applying them too strictly, or maybe you couldn’t. It doesn’t matter. This happens all the time in government, where policy makers and policy enforcers insist that the negative effects of the words they write don’t matter because that’s not how they intended them.
> I’m sorry, but they do matter. In fact, the impact – separate from the intent – is all that really matters.
[0] https://www.eatingpolicy.com/p/stop-telling-constituents-the...
That's an excellent article. Another quote I found especially relevant:
>Every step that law takes down the enormous hierarchy of bureaucracy, the incentives for the public servants who operationalize it is to take a more literal, less flexible interpretation. By the time the daycare worker interacts with it, the effect of the law is often at odds with lawmakers’ intent.
Put another way, everyone in the chain is incentivized to be very risk averse when faced with a vague regulation, and this risk aversion can compound to reach absurd places.
I'm ignoring the comments, they seem to be all about the posters themselves.
I have no knowledge of your site, but I'm still sad to see it having to shut down.
> as a forum moderator you are known, and you are a target
I want to emphasize just how true this is, in case anyone thinks this is hyperbole.
I managed a pissant VBulletin forum, and moderated a pretty small subreddit. The former got me woken up at 2, 3, 4am with phone calls because someone got banned and was upset about it. The latter got me death threats from someone who lived in my neighborhood, knew approximately where I lived, and knew my full name. (Would they have gone beyond the tough-guy-words-online stage? Who knows. I didn't bother waiting to find out, and resigned as moderator immediately and publicly.)
> I managed a pissant VBulletin forum, and ... got me woken up at 2, 3, 4am with phone calls because someone got banned and was upset about it.
I home-hosted a minecraft server and was repeatedly DDoS'd. Don't underestimate disgruntled 10yo's.
It's much more responsible to put this whole thing into some nonprofit trust format and hand it over to someone with the time and energy to handle it. This also would not exclude you from volunteering.
This is what bad legislation does, punish small communities!
Are you Velocio? Thanks for all the hard work!
Sad that lufguss will probably become just another channel on one of the big platforms. RIP.
yup, and thank you for the kind words
It's insane that they never carved out any provisions for "non big-tech".
I feel like the whole time this was being argued and passed, everyone in power just considered the internet to be the major social media sites and never considered that a single person or smaller group will run a site.
IMO I think that you're going to get two groups of poeple emerge from this. One group will just shut down their sites to avoid running a fowl of the rules and the other group will go the "go fuck yourself" route and continue to host anonymously.
> It's insane that they never carved out any provisions for "non big-tech".
Very little legislation does.
Two things my clients have dealt with: VATMOSS and GDPR. The former was fixed with a much higher ceiling for compliance but not before causing a lot of costs and lost revenue to small businesses. GDPR treats a small businesses and non profits that just keep simple lists for people (customers, donors, members, parishioners, etc.) has to put effort into complying even thought they have a relatively small number of people's data and do not use it outside their organisation. The rules are the same as for a huge social network that buys and sells information about hundreds of millions of people.
Do you know a small business that has got into trouble with GDPR?
You can filter this list to see 200+ GDPR fines assigned to sole proprietors, the smallest of small businesses, individuals that haven't even registered a separate entity for their business:
https://www.enforcementtracker.com/
They're only cataloging the (2500+) publicly known ones, most of which have a link to a news article. As an example: some guy in Croatia emailed a couple websites he thought might be interested in his marketing services, and provided a working opt-out link in his cold emails. One of them reported the email to the Italian Data Protection Authority who then put him through an international investigation and fined him 5000 euro.
"Assuming here that the reasons expressed in the aforementioned document have been fully recalled, [individual] was charged with violating articles 5, par. 1, letter a), 6, par. 1, letter a) of the Regulation and art. 130 of the Code, since the sending of promotional communications via e-mail was found to have been carried out without the consent of the interested parties. Therefore, it is believed that - based on the set of elements indicated above - the administrative sanction of payment of a sum of €5,000.00 (five thousand) equal to 0.025% of the maximum statutory sanction of €20 million should be applied."
It's worth noting that each country has a different approach to GDPR enforcement (which arguably defeats the point of it but that's another discussion).
The UK tends to be a lot more (IMO) reasonable in its approach than some other European countries. Italy tends to be one of the strictest, and likes to hand out fines, even to private individuals for things like having a doorbell camera. The UK has only fined one person on that basis, and it was more of a harassment case rather than just simply that they had a camera.
ICO and Ofcom aren't generally in the business of dishing out fines unless it's quite obviously warranted.
To clarify, I'm not interested in this, because it doesn't answer the question at all. I don't want a Googled answer, I want personal experience.
For instance, I know of a company that flouted GDPR and got multiple letters off the ICO trying to help them with compliance before finally, months later, they ended up in court and got a very small fine.
Edit: it is not cool to edit your post after I replied to make it look more reasonable
I'm sure Big Tech helped to write the bill.
> I feel like the whole time this was being argued and passed, everyone in power just considered the internet to be the major social media sites and never considered that a single person or smaller group will run a site.
Does this shock you? I don't recall a time in memory where a politician discussing technology was at best, cringe and at worst, completely incompetent and factually wrong.
Off the top of my head Oregon Senator Ron Wyden. I’m sure there are others. Millennials are in office now.
> Off the top of my head Oregon Senator Ron Wyden. I’m sure there are others
If we exclude politicians whose tech awareness is curated by lobbyists, Ron Wyden may be the entire list.
Ok, did you perform this audit of all US politicians? Or are you just spreading FUD?
I don't think FUD is on the table at this stage in the discussion. And I'm not sure why you chose a confrontational stance for your question.
But for an answer, I've done what folks do - spent decades carefully listening to legislators (and judges!) reveal their expertise in the fields I work and interact with.
Ron Wyden aside, authentic technical competency from legislators is so uncommon it stand out. Glaringly. What technical acumen we do get pretty much always rhymes with lobbyists talking points.
I expect my perspective to be boringly familiar here.
And AFAIK, we don't have any other Ron Wydens serving in Congress or coming onboard.
That is, someone with the basic technical understanding to foresee reasonable downstream consequences of the laws they vote on. Not someone with a minimal technical awareness that was crafted to be a lobbyists tool.
I will be genuinely grateful if someone would correct me here.
> Millennials are in office now.
The most stupid influencers, at least in my country.
> Millennials are in office now.
So? Tons of millennials barely understand technology too. I'd say a politician being one makes the odds they know tech marginally better, but I still interact with people of my generation that barely know what a filesystem is, let alone how to make one, or why it's important.
This seems like a classic "Don't interrupt your adversary when they are making a mistake" situation.
The EU and UK have been making these anti-tech, anti-freedom moves for years. Nothing can be better if you are from the US. Just hoover up talent from their continent.
Have you seen how difficult US immigration is to navigate? It's impossible for most people, and about to get even harder soon.
Even if US immigration were more liberal, moving is very costly (financially, emotionally, psychologically). Injustice anywhere is a threat to justice everywhere.
That's terrible. Hopefully the users can make backups (of at least what has already been posted, if not of their ongoing social connections) before the shutdown. It's good that you can provide such notice. Are you providing tarballs?
Okay, I'm putting up a new bbs in the US that is only going to be accessible via SSH modern terminal only... UK users will be more than welcome.
I've been wanting to pay with remote modern terminals and Ratatui anyway.
The whole government page at https://www.ofcom.org.uk/online-safety/illegal-and-harmful-c... has an off-putting and threatening tone, celebrating how wonderful it is that online spaces will be tied in bureaucratic knots. Disgraceful.
I host a Mastodon server in the US. I almost wish I could get a legal threat from the UK so that I could print it and hang it on my wall as a conversation piece.
I have zero legal connection to the UK and their law doesn't mean jack to me. I look forward to thoroughly ignoring it, in the same way that I thoroughly ignore other dumb laws in other distant jurisdictions.
UK, look back on this as the day -- well, another day -- when you destroyed your local tech in favor of the rest of the world.
The hacker in me is real grumpy about all this, and believes that they’re nannying a whole lot of the dumb superficial stuff while pushing serious malfeasance underground.
But they make a good point: if you exclude the smaller providers, that’s where the drugs and CSAM and the freewheeling dialog go. Assuming it’s their policy goal to deter these categories of speech, I’m not sure how you do that without a net fine enough to scoop up the 4chans of the world too.
It’s not the behavior of a confident, open, healthy society, though…
> if you exclude the smaller providers, that’s where the drugs and CSAM and the freewheeling dialog go.
- Bad actors go everywhere now.
- £18 million fines seem like a fairly unhinged cannon to aim at small webistes.
- A baseless accusation is enough to trigger a risk of life-changing fines. Bad actors don't just sell drugs and freewheel; they also falsely accuse.
18m maximum fine.
The cure is worse than the disease.
As a quick cheatsheet, laws targeting CSAM are always just tools to go after other things.
CSAM is absolutely horrible.. but CSAM laws don't stop CSAM (primarily this happens from group defections).
Instead it's just a form of tarring, in this case unliked speech, by associating it with the most horrible thing anyone can think of.
People seem to forget that the more legislation there is around something the more it is only feasible to do if you are a corporate person. Human persons just don't have the same rights or protections from liabilty.
This is something the EU got right for once in the DMA/DSA: It only applies starting from a certain, large size - if you're that big, you can afford the overhead.
It also raises the barrier to entry for newcomers, ensuring established large players continue to consolidate power, since they have the means to deflect and defend themselves from these regulations (unless there are specific carve-outs in place, of course).
This effectively makes censorship much simpler for the government, no need to chase down a million little sites,just casually lean on the few big ones remaining.
Skying too! Way fewer taps required.
It's not like there are laws that are more lenient with non-profits or with tiny companies right?
The EU's digital markets act is one that got that right and I love it. But it's the exception to the rule. The vast majority of such laws are for the benefit of the corporations themselves, despite any ostensible purposes. And this is definitely in that latter category.
"glad that EU overregulation doesn't hamper the freedom of the United kingdom any more."
what can we do about this creep up of totalitarian surveillance plutocracy?
sweet were the 1990s with a dream.of.information access for all.
little did we know we were the information being accessed.
srry
very un-HN-y.. maybe it's just the time of the year but this really pulls me down currently.
Also a lot of other EU regulations do the same.
Sometimes it's explicitly mentioned but oftentimes it's behind "appropriate and proportionate measures"
But most don't. GDPR for example. It's pretty wack that random people coming to my neighborhood BBQ can demand I give them the backyard surveillance camera recording or force me to delete it (a metaphor for a personal website logs). Such makes perfect sense for a corporation but none when applied to a human person and context.
We should make the laws for our digital spaces for human person use cases first, not corporate person use cases. Even if it's in the sense of trying to protect humans from corporations.
Good news:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...
2. This Regulation does not apply to the processing of personal data: (c) by a natural person in the course of a purely personal or household activity;
That does not include security cameras: https://www.gov.uk/government/publications/domestic-cctv-usi...
From that link:
Most European countries have laws for recording spaces not your own. They typically predate the GDPR by decades. AFAIK, they are not harmonized, except for a tiny bit by the GDPR.If your CCTV system captures images of people outside the boundary of your private domestic property...If I understand it well, this is a big difference between the USA where you can mostly record the public space and create databases of what everyone does in public. IN Europe (even outside the EU), there is a basic expectation of privacy even in public spaces. You are allowed to make short term recordings, do journalism, and have random people accidentally wander in and out of your recording. Explicitly targetting specific people or long-term recording is somewhere between frowned upon to flat out illegal.
Indeed, or VATMOSS, which made all small merchants move their ecommerces to Amazon, Gumroad (and Paddle) to avoid the complexity
If you read the guidance:
https://www.ofcom.org.uk/siteassets/resources/documents/onli...
It amounts to your basic terms of service. It means that you'll need to moderate your forums, and prove that you have a policy for moderation. (basically what all decent forums do anyway) The crucial thing is that you need to record that you've done it, and reassessed it. and prove "you understand the 17 priority areas"
Its similar for what a trustee of a small charity is supposed to do each year for its due diligence.
Yep super simple. You just have to make individual value judgements every day on thousands of pieces of content for SEVENTEEN highly specific priority areas. Then keep detailed records on each value judgement such that it can hold up to legal scrutiny from an activist court official. Easy peasy.
If you read that guidance, it wants you to have a moderation policy for 17 specific priority areas. You need prove you can demonstrate that you have thought about it. You need to have a paper trail that says you have a policy and that its a policy. You _could_ be issued with a "information notice", which you have to comply with. Now, you could get that already, with the RIPA, as a communications provider.
this is similar to running a cricket club, or scout club
For running a scout association each lesson could technically require an individual risk assessment for every piece of equipment, and lesson. The hall needs to be safe, and you need to prove that it's safe. Also GDPR, and safeguarding, background checks, money laundering.
> hold up to legal scrutiny from an activist court official
Its not the USA. activist court officials require a functioning court system. Plus common law has the concept of reasonable. A moderated forum will be of a much higher standard of moderation than facebook/twitter/tiktok.
Any competent forum operator is already doing all of this (and more) just without the government-imposed framework. Would the OP allow CSAM to be posted on their website? No. Would the OP contact the authorities if they caught someone distributing CSAM on their website? Yes. Forum administrators are famous (to the point of being a meme) for their love of rules and policies and procedures.
> Any competent forum operator is already doing all of thisYou just have to make individual value judgements every day on thousands of pieces of content for SEVENTEEN highly specific priority areas. Then keep detailed records on each value judgement such that it can hold up to legal scrutiny from an activist court official.What is your evidence that the record keeping described by the parent is routine among competent forum operators?
No, not at all. You need to consider your service's risks against those seventeen categories once, and then review your assessment at least every year.
From the linked document above: "You need to keep a record of each illegal content risk assessment you carry out", "service providers may fully review their risk assessment (for example, as a matter of course every year)"
And links to a guidance document on reviewing the risk assessment[1] which says: "As a minimum, we consider that service providers should undertake a compliance review once a year".
[1] https://www.ofcom.org.uk/siteassets/resources/documents/onli...
Is the trustee of a small charity on the hook for £18,000,000 in minimum fines?
The maximum fines are 10% of "qualifying worldwide revenue", or £18M, whichever is larger. This is an exercise in stopping companies from claiming tiny revenues when they're actually much larger, rather than fining genuinely tiny companies (or individuals) a ridiculous multiple of their value (or wealth).
Plenty of things in UK law attract "an unlimited fine", but even that doesn't lead to people actually being fined amounts greater than all the money that's ever existed.
Sounds like a legally risky environment. One of the biggest things we've understood about the world over the last century has been that commerce flourishes under an environment of legal certainty.
Trustees for small charities can be personally liable for unlimited amounts.
GDPR, Safeguarding, liability for the building you operate in, money laundering. there are lots of laws you are liable for.
Most people don't have time to wade through that amount of bureaucratic legalese, much less put it into practice.
I run just over 300 forums, for a monthly audience of 275k active users
I can't imagine one person running over 300 forums with 275,000 active users. That gives you an average of eight minutes a week to tend to the needs of each one.
I used to run a single forum with 50,000 active users, and even putting 20 hours a week into it, I still didn't give it everything it needed.
I know someone currently running a forum with about 20,000 active users and it's a full-time job for him.
I don't understand how it's possible for one person to run 300 forums well.
With 1 or 2 competent mods, a forum can be very low-maintenance.
When I was running the 50,000 user forum, I had five. Mods are great, but I still can't grok 300+ forums all being done well. He'd need hundreds of mods.
I seriously doubt a large portion of those 300+ forums have tens of thousands of users.
>Any monies donated in excess of what is needed to provide the service through to 16th March 2025 will be spent personally on unnecessary bike gear or astrophotography equipment, but more likely on my transition costs as being transfemme I can tell you there is zero NHS support and I'm busy doing everything DIY (reminder to myself, need to go buy some blood tests so I can guess my next dosage change)... Not that I imagine there will be an excess, but hey, I must be clear about what would happen if there were an excess.
I would argue the honorable thing to do in the event excess monies remain would be to donate it to a charity. Using it for personal ends, whatever the details, is wrong because that's not what the donations were for.
Why not hand it over to someone else who would take the risk?
Seems a bit megalomaniacal.
"I'm not interested in doing this any more. Therefore I'll shut it down for everyone"
Because then they're responsible, at least socially, for the things the new admin does.
This way, people have been given plenty of advanced notice and can start their own forums somewhere instead. I'm sure each of the 300 subforums already has some people running them, and they could do the above if they actually cared.
I find it hard to believe someone will take over 300 forums out of the goodness of their hearts and not start making it worse eventually, if not immediately.
Specious reasoning.
Does everyone else remember when GDPR came out and everyone running a website was extradited to Europe and fined a billion pounds.
The laughable thing is believing that Ofcom has any budget to prosecute anyone, let alone a small website.
I don't understand this decision. Running a website as an individual is a liability risk for all sorts of reasons for which there are simple (and cheap) mitigations. Even if you believe this legislation is a risk, there are options other than shutting down. The overreaction here is no different than when GDPR came in, and we all collectively lost our minds and started shutting things down and then discovered there was zero consequence for mom-and-pop websites. I assume this isn't a genuine post and is actually an attempt at some sort of protest, with no intention of actually shutting down the websites. Or, more likely, they're just old and tired and ready to move on from this period of their life, running these websites.
the real risk I see is that as it's written, and as Ofcom are communicating, there is now a digital version of a SWATing for disgruntled individuals.
the liability is very high, and whilst I would perceive the risk to be low if it were based on how we moderate... the real risk is what happens when one moderates another person.
as I outlined, whether it's attempts to revoke the domain names with ICANN, or fake DMCA reports to hosting companies, or stalkers, or pizzas being ordered to your door, or being signed up to porn sites, or being DOX'd, or being bombarded with emails... all of this stuff has happened, and happens.
but the new risk is that there is nothing about the Online Safety Act or Ofcom's communication that gives me confidence that this cannot be weaponised against myself, as the person who ultimately does the moderation and runs the site.
and that risk changes even more in the current culture war climate, given that I've come out, and that those attacks now take a personal aspect too.
the risk feels too high for me personally. it's, a lot.
I used to frequent the forum about 15 or so years ago. This guy is very level headed and has been around the block a lot. Therefore I don't believe this is purely performative.
I like and respect the OP and their work. I do not think this is consistent with his previous levelheadedness.
edit: removed unintentional deadnaming
As I said I haven't frequented the forum for years, so maybe things have changed but I highly doubt this is a knee jerk reaction.
thank you for removing the deadname.
A fair number of sites hosted and operated outside the European Union reacted to GDPR by instituting blocks of EU users, many returning HTTP 451. Regardless of whether you believe GDPR is a good idea or not (that's beyond the scope of this comment), the disparity in statutory and regulatory approaches plus widely varying (often poor) levels of 'plain language' clarity in obligations, and inconsistent enforcement, it all leads to entirely understandable decisions like this and more of a divided internet.
Thank you to those who have tirelessly run these online communities for decades, I'm sorry we can't collectively elect lawmakers who are more educated about the real challenges online, and thoughtful on real ways to solve them.
What are the simple and cheap mitigations you have in mind?
Don't run a website personally, set up a separate legal entity. The UK is one of the easiest places in the world to do this and has well-understood legal entities that fit the model of a community-operated organisation (i.e: "community interest company"). The fact that the OP is running such a large community as an individual is bonkers in the first place, independent of this new act.
It raises the cost and hassle involved from "I need a cheap hosting package" to I need to do paperwork, keep and file accounts, etc.
Personally, I think it's bonkers that an individual can't run an online forum.
I agree but that ship sailed a decade ago. There's no additional risk with the new bill, it's more of the same. If there are concerns about liability because of this new bill then there should be concerns about liability already.
I sympathise with the OP because at some point everyone becomes too old to deal with the headaches of running a community. I have no opposition to their choice to shut down the forum. I just don't believe liability as a result of the new bill is the reason.
> I just don't believe liability as a result of the new bill is the reason.
It seems like OP is commenting on this thread; you can accuse them of lying directly, if you'd like.
but there is additional risk and liability, because the new act creates more work in order to be compliant (which is what increases the liability), and it increases the risk of being attacked.
there's never been an instance of any of the proclaimed things that this act protects [...] people from, so he should be safe, right?
but despite this, he is already being attacked, and those attacks will not just continue but they are likely to increase because the attack surface has become larger.
Are you claiming that setting up a CIC removes individual liability for wrongdoing? So, I set up a CIC for running forums, with $0 of assets and negligible running costs, then in the event of a fine I'm scot free?
Yes. A CIC is just a limited company with some additional community interest obligations. You can set up a limited company to shield yourself from liability (i.e: if your website is sued by a user, your personal assets aren't at risk) and only in exceptional cases (where serious lawbreaking is involved) could you be held personally liable.
Rightly or wrongly, limited companies in the UK provide a high degree of protection for wrongdoing. Defrauding HMRC out of hundreds of thousands of pounds and suffering no consequence is happening day in day out. An Ofcom fine is nothing by comparison.
1. Thanks for this very helpful information about how some seemingly quite simple legal manoeuvring can be used to dodge 99% of this law.
2. Doesn't the fact that simple legal manoeuvring can be used to dodge 99% of this law make the law (and laws like it) farcical on its face? Merely an elaborate set of extra hoops that only serves to punish the naive, while increasing everyone's compliance costs?
The law is designed to target large companies that aren't seen as doing enough to prevent harm on the internet. Setting up a CIC doesn't dodge the law, the legal entity (the CIC) remains accountable for conduct on the website. Setting up a CIC removes the risk from the individual website operator because they're no longer operating the website, instead the website is operated by a separate legal entity. The website could still be held accountable for violating the law but the consequence would be the CIC is fined, not the individual behind it. The same principle as any limited liability company.
In the U.S. we have the concept of "piercing the corporate veil" whereby if you can prove that a LLC (effectively a corporate entity created to shield owner's liability) is a flimsy legal device whose only intent is to skirt laws like this one, you are able to go after the LLC owner personally anyway.
Does the UK have a similar concept?
Yes it has the concept. But like the previous poster said, it can only be used in very serious criminal wrongdoing.
>the consequence would be the CIC is fined
Does this in practice mean that the original human person would have to pay that fine? What would the consequences likely be for the original human person?
If those consequences remain severe, then it's not a simple legal manoeuvre after all. This reduces farcicality, but also means there's no way for an individual to safely run this kind of website.
If those consequences round to zero, my next question would be: Can a large company spin up a CIC just to shield itself in the same way? (If so, it seems the farce would be complete.)
In practice the person would not have to pay the fine. The company would. If the company had no cash to pay it then it could be forced into insolvency.
No a large company can't spin up a CIC to run a business website (because it is not community interest), but it doesn't need to, it is already a limited liability company. However this is not a farce, the limited liability applies to the shareholders, not the company. The company gets fined, and has to pay the fine or risk having its assets siezed.... then the shareholders have lost their company. The liability of the shareholders is limited to the shareholders invested amount, ie the shareholders can't lose any more than they put in. So if the fine was more than the company can afford, the shareholders lose their company, but don't have to pay the rest.
It is not a farce, because losing a profit earning company is bad for a shareholder
Thanks for the explanation. However, there's one thing I've now realised I'm not clear on:
Could a company create a non-CIC sub-company (with ~$0 in assets) to own the website, and thereby shield shareholders of the original company? (If so, I think farcicality is conserved.)
How would that work if someone set up a CIC, used it to rent a VPS and did some grey-hat hacking activities?
If the person committed a criminal offence under the Computer Misuse Act then they would face criminal sanctions, personally.
The Online safety bill gives Ofcom the power to levy regulatory fines, not criminal sanctions, so is very different
Assuming you regard the cost of keeping and filing accounts and other paperwork, annual registration fees, etc. as negligible yes.
Keeping accounts: cost, depends on if you make any money. If you do then you would have to keep accounts even if not a CIC!
Filing accounts: £15. An online form will ask you for your balance sheet summary only unless you are very large.
One off registration:£65
Annual confirmation statement:£34
So depends on your perspective I suppose.
There are plans to remove the small company p & l exemption and new rules on verifying directors ids. Costs are going up too. It looks like a CIC you can only file online if full accounts. https://find-and-update.company-information.service.gov.uk/a...
You have to keep accounts if a business even if not incorporated. A company has to keep accounts if it has any assets (e.g. a domain) or any financial transactions (e.g. paying for hosting)
You will also probably have to file a tax return. You have to keep a register of shareholders.
In fact if definitely not making a profit a standard ltd might be simpler (or maybe a company limited by guarantee) then a CIC as all a CIC does it add restrictions and extra regulation https://assets.publishing.service.gov.uk/media/5a7b800640f0b...
>You have to keep accounts if a business even if not incorporated
Indeed, so this cost is not relevant to the decision to set up a CIC or not